Docs: align integrations + add platform test script

Author: ConnorWhelan11

README.md

@@ -3,7 +3,7 @@
 </p>
 
 <p align="center">
-  <a href="https://github.com/medica/clawdstrike/actions"><img src="https://img.shields.io/github/actions/workflow/status/medica/clawdstrike/ci.yml?branch=main&style=flat-square&logo=github&label=CI" alt="CI Status"></a>
+  <a href="https://github.com/backbay-labs/hushclaw/actions"><img src="https://img.shields.io/github/actions/workflow/status/backbay-labs/hushclaw/ci.yml?branch=main&style=flat-square&logo=github&label=CI" alt="CI Status"></a>
   <a href="https://crates.io/crates/clawdstrike"><img src="https://img.shields.io/crates/v/clawdstrike?style=flat-square&logo=rust" alt="crates.io"></a>
   <a href="https://docs.rs/clawdstrike"><img src="https://img.shields.io/docsrs/clawdstrike?style=flat-square&logo=docs.rs" alt="docs.rs"></a>
   <a href="LICENSE"><img src="https://img.shields.io/badge/license-MIT-blue?style=flat-square" alt="License: MIT"></a>
@@ -69,42 +69,40 @@ Runtime security enforcement for AI agents. Composable guards, cryptographic rec
 
 ## Quick Start
 
-```typescript
-// openclaw.config.ts
-import { clawdstrike } from "@clawdstrike/openclaw";
-
-export default {
-  plugins: [
-    clawdstrike({
-      ruleset: "ai-agent",
-      signing: { enabled: true },
-    }),
-  ],
-};
+### CLI (Rust)
+
+```bash
+cargo install --path crates/hush-cli
+
+hush policy list
+hush check --action-type file --ruleset strict ~/.ssh/id_rsa
 ```
 
-Or use standalone:
+### TypeScript (tool boundary)
 
-```typescript
-import { HushEngine, JailbreakDetector } from "@clawdstrike/sdk";
+TypeScript does not ship a full policy engine; use the Rust CLI/daemon for evaluation. `@clawdstrike/hush-cli-engine` requires `hush` on your PATH (or pass `hushPath`).
 
-const engine = new HushEngine({ ruleset: "strict" });
-const detector = new JailbreakDetector();
+```typescript
+import { createHushCliEngine } from "@clawdstrike/hush-cli-engine";
+import { BaseToolInterceptor, createSecurityContext } from "@clawdstrike/adapter-core";
 
-// Check file access
-const result = await engine.checkFileAccess("~/.ssh/id_rsa", ctx);
-if (!result.allowed) throw new Error("Blocked by policy");
+const engine = createHushCliEngine({ policyRef: "default" });
+const interceptor = new BaseToolInterceptor(engine, { blockOnViolation: true });
+const ctx = createSecurityContext({ sessionId: "session-123" });
 
-// Detect jailbreaks
-const detection = await detector.detect(userMessage, sessionId);
-if (detection.blocked) return "I can't process that request.";
+const preflight = await interceptor.beforeExecute("bash", { cmd: "echo hello" }, ctx);
+if (!preflight.proceed) throw new Error("Blocked by policy");
 ```
 
+### OpenClaw plugin
+
+See `packages/clawdstrike-openclaw/docs/getting-started.md`.
+
 ## Highlights
 
 | Feature | Description |
 |---------|-------------|
-| **9 Built-in Guards** | Path, egress, secrets, patches, tools, prompt injection, jailbreak, output sanitization, watermarking |
+| **7 Built-in Guards** | Path, egress, secrets, patches, tools, prompt injection, jailbreak |
 | **4-Layer Jailbreak Detection** | Heuristic + statistical + ML + optional LLM-as-judge with session aggregation |
 | **Output Sanitization** | Redact secrets, PII, internal data from LLM output with streaming support |
 | **Prompt Watermarking** | Embed signed provenance markers for attribution and forensics |
@@ -123,7 +121,7 @@ if (detection.blocked) return "I can't process that request.";
 We take security seriously. If you discover a vulnerability:
 
 - **For sensitive issues**: Email [connor@backbay.io](mailto:connor@backbay.io) with details. We aim to respond within 48 hours.
-- **For non-sensitive issues**: Open a [GitHub issue](https://github.com/backbay-labs/clawdstrike/issues) with the `security` label.
+- **For non-sensitive issues**: Open a [GitHub issue](https://github.com/backbay-labs/hushclaw/issues) with the `security` label.
 
 ## Contributing
 

docs/src/concepts/architecture.md

@@ -7,7 +7,7 @@ The intended integration is at the **tool boundary** (your agent runtime calls C
 
 ## System Overview
 
-```
+```text
 ┌─────────────────────────────────────────────────────────────────────────────────────┐
 │                                    HushEngine                                        │
 │  ┌─────────────┐ ┌─────────────┐ ┌─────────────┐ ┌─────────────┐ ┌─────────────┐    │
@@ -56,7 +56,7 @@ The intended integration is at the **tool boundary** (your agent runtime calls C
 
 | Package | Description |
 |---------|-------------|
-| `@clawdstrike/sdk` | Core TypeScript SDK with full guard parity |
+| `@clawdstrike/sdk` | Crypto/receipts + a subset of guards + prompt-security utilities (no full policy engine) |
 | `@clawdstrike/adapter-core` | Framework-agnostic adapter interfaces |
 | `@clawdstrike/openclaw` | OpenClaw plugin |
 | `@clawdstrike/vercel-ai` | Vercel AI SDK integration |
@@ -67,7 +67,7 @@ The intended integration is at the **tool boundary** (your agent runtime calls C
 
 | Package | Description |
 |---------|-------------|
-| `hush-py` | Pure Python SDK with optional PyO3 bindings |
+| `hush` | Pure Python SDK (repo: `packages/hush-py`) |
 
 ## Data flow (typical integration)
 
@@ -127,7 +127,7 @@ For deeper integration scenarios, Clawdstrike provides Inline Reference Monitors
 
 IRMs integrate with the guard pipeline:
 
-```rust
+```rust,ignore
 use clawdstrike::irm::{IrmRouter, FilesystemIrm, NetworkIrm};
 
 let router = IrmRouter::new()

docs/src/concepts/design-philosophy.md

@@ -26,7 +26,7 @@ guards:
 
 Clawdstrike is one layer in a defense-in-depth strategy. It enforces policy at the **tool boundary**—the interface between your agent runtime and the actions it performs.
 
-```
+```text
 ┌─────────────────────────────────────────────────────────────┐
 │                     Your Agent Runtime                       │
 │  ┌─────────────────────────────────────────────────────┐    │
@@ -66,7 +66,7 @@ These are distinct concepts that should not be conflated:
 
 Receipts prove what Clawdstrike observed and decided under a specific policy. They do not prove that the underlying OS prevented all side effects. A signed receipt is only as strong as the integration.
 
-```rust
+```rust,ignore
 // Enforcement: your runtime decides based on GuardResult
 let result = engine.check_file_access("/etc/passwd", &ctx).await?;
 if !result.allowed {
@@ -93,7 +93,7 @@ This composability lets you:
 2. **Layer multiple checks.** A file write might pass `ForbiddenPathGuard` but fail `SecretLeakGuard`.
 3. **Add custom guards.** Extend `HushEngine` with your own guards via the `Guard` trait.
 
-```rust
+```rust,ignore
 // Guards evaluate in order, fail-fast or aggregate
 let report = engine.check_action_report(&action, &context).await?;
 for evidence in &report.evidence {
@@ -129,26 +129,19 @@ When detecting sensitive content (jailbreaks, secrets, PII), Clawdstrike:
 }
 ```
 
-## Multi-Language Parity
-
-Clawdstrike maintains functional parity across Rust, TypeScript, and Python:
+## Multi-language support
 
-| Feature | Rust | TypeScript | Python |
-|---------|------|------------|--------|
-| Guards | Full | Full | Full |
-| Policy Engine | Full | Full | Full |
-| Receipts & Signing | Full | Full | Full |
-| Jailbreak Detection | Full | Full | Full |
-| Output Sanitization | Full | Full | Full |
+Rust is the reference implementation for policy evaluation and enforcement. TypeScript and Python focus on:
 
-The Rust implementation is the reference. TypeScript and Python implementations use the same algorithms and produce compatible outputs.
+- **Interop** (crypto/receipts)
+- **Integration glue** (framework adapters)
 
-## Explicit Over Implicit
+See [Multi-Language & Multi-Framework Support](./multi-language.md) for the current status by language and package.
 
-Clawdstrike prefers explicit configuration over magic behavior:
+## Explicit over implicit
 
-- **No `enabled: false`.** To disable a guard, configure it to allow everything explicitly.
-- **No hidden defaults.** Default patterns are documented in each guard's reference.
-- **No silent failures.** Invalid configuration fails loudly at load time.
+Clawdstrike prefers explicit, auditable configuration:
 
-This explicitness makes policies auditable. You can read a policy file and understand exactly what it permits and denies.
+- **Unknown fields are rejected** (fail-closed) where parsing is security-critical.
+- **Invalid patterns fail at load time** (glob/regex validation), not at check time.
+- **Policy linting** (`hush policy lint`) catches risky defaults and common mistakes early.

docs/src/concepts/guards.md

@@ -6,7 +6,7 @@ Guards are small, focused checks that evaluate a single action against policy/co
 
 In Rust:
 
-```rust
+```rust,ignore
 #[async_trait]
 pub trait Guard: Send + Sync {
     fn name(&self) -> &str;
@@ -37,5 +37,6 @@ Clawdstrike ships with:
 - `PatchIntegrityGuard`
 - `McpToolGuard`
 - `PromptInjectionGuard`
+- `JailbreakGuard`
 
 See the [Guards reference](../reference/guards/README.md) for configs and details.